Computer Security Resource Center

Personal Identity Verification of Federal Employees and Contractors

PIV Announcements

Posted March 21, 2019

Presentations of the FIPS 201-3 Business Requirements Meeting are available here.

Posted February 8, 2019

Save the date for the Federal Business Requirements Meeting for FIPS 201 Revision 3 on 3/19/19

FIPS 201, Personal Identity Verification (PIV) for Federal Employees and Contractors, will be going through a third revision soon. In preparation for the revision, NIST invites federal departments and agencies’ representatives to participate in this government-only meeting to discuss the change requests accumulated over the past five years. For more information and to register, click here. The registration deadline is 3/12/19.

POSTED June 29, 2018

NIST releases Special Publication SP 800-116 Revision 1, "Guidelines for the Use of PIV Credentials in Facility Access"

NIST is pleased to announce release of Special Publication 800-116 Revision 1, Guidelines for the Use of PIV Credentials in Facility Access. This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. See summary of the high-level changes.

POSTED May 9, 2017

In mid-2016, the NIST PIV Validation Program proposed a transition plan to move from RNG-based to DRBG-based PIV cards by the end of June 2017. This transition plan was adopted because agencies indicated that they and their vendors were not yet able to migrate to SP 800-90A DRBG PIV cards.

However, as the June 2017 date approaches, it has become apparent that another extension is necessary to issue and use RNG PIV cards until DRBG PIV cards are validated and available with compatible card management software.

To allow an orderly transition to DRBG PIV cards, the PIV Validation Program will grant an additional one-year extension through June 30, 2018. This gives affected PIV Card vendors time to complete CMVP and PIV validation, as well as additional time to prepare, update or deploy any other components that may be necessary to issue or use the new DRBG PIV Cards.

According to this revised transition plan, agencies may continue to issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2018. Future procurements of any legacy PIV cards that may be needed during this transition should be planned to minimize excess legacy card stock at the time of this deadline.

However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date, up to June 30, 2024.

POSTED August 6, 2016

Beginning in 2016, the CMVP enforced RNG transition, requiring new modules to implement the SP 800-90A DRBGs, and requiring vendors to update previously validated modules to remain on the active validation list. NPIVP, which relies on the CMVP for cryptographic module testing, also enforced this transition, and is requiring the use of validated DRBGs in PIV cards.

However, feedback from agencies has indicated that vendors are not yet able to migrate to SP 800-90A DRBG PIV cards. As a result, the legacy RNG PIV cards will continue to be issued and used until DRBG PIV cards are available with compatible card management software.

To support the migration of PIV cards to DRBGs, the PIV Validation Program proposes a one-year conditional transition plan ending by June 30, 2017, that allows the continued issuance and use of previously validated PIV cards using legacy RNGs that do not pose an immediate security risk.

According to this transition plan, agencies may continue to procure and issue cards using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, agencies should migrate to fully compliant cards implementing approved DRBGs as soon as DRBG PIV cards and the compatible card management software are commercially available. Once issued, these “legacy” RNG PIV cards may be used until their expiration date, up to June 30, 2023.

POSTED August 5, 2016

NPIVP laboratories have received the SP 800-73-4 Test Runner and have commenced testing and evaluation of PIV Card Application and PIV Middleware implementations based on SP 800-73-4. The tool is also available for download by the general public, including vendors, who can accelerate the validation process by fine-tuning their implementations with the tool before submitting products to NPIVP labs. Use the following link to download the Test Runner.

POSTED May 23, 2016

NIST Releases Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export

NIST is pleased to announce the release of Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export. The document provides the data representation of a chain-of-trust record for the exchange of records between PIV Card issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and confidentiality through encryption of chain-of-trust data in transit and at rest.

POSTED April 21, 2016

NIST Releases the final version of "Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access"

POSTED April 13, 2016

Special Publication (SP) 800-85A-4 provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification, and SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

POSTED February 5, 2016

This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requiring Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies implementing PIV authentication for privileged users.

POSTED December 29, 2015

NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export is available for public comment

NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export, is now available for public comment. This document provides the data representation of a chain-of-trust record for the exchange of records between issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and confidentiality through encryption of chain-of-trust data in transit and at rest.

POSTED December 28, 2015

NIST Announces Release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

NIST is pleased to announce the public comment release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. High-level changes include:

Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.

In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:

Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms

Addition of a new section (5.3.1) titled “Migrating Away from the Legacy CHUID Authentication Mechanism” to aid in the transition away from the CHUID + VIS authentication mechanism

In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks

POSTED July 30, 2015

Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI) has been approved as final

NIST is pleased to announce the release of Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). The document provides guidelines for assessing the reliability of issuers of PIV Cards and issuers of the newly introduced Derived PIV Credential for mobile devices. The document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

Updated references to the more recent credentialing guidance issued by OPM,

Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and

Modified process to include an independent review prior to authorization of issuer.

POSTED June 18, 2015

NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, has been approved as final and is now available

NIST is pleased to announce the release of NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key. The document provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card. The document clarifies the requirement for “explicit user action” and specifies a range of PIN caching options that maintain the goal of “explicit user action” while adhering to a consistent and reliable level of security. The document will encourage the development of compliant applications and middleware that use the digital signature key.

POSTED June 8, 2015

NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

#1: NIST is pleased to announce the release of Special Publication 800-73-4, Interfaces for Personal Identity Verification. This document has been updated to align with Final FIPS 201-2 and to reflect the disposition of comments that were received on the first and second draft of SP 800-73-4, published in May 2013 and May 2014, respectively. The complete set of comments and dispositions is provided below.

High level changes from SP 800-73-3 to SP 800-73-4 include:

Removal of Part 4, The PIV Transitional Data Model and Interfaces;

The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;

Inclusion of clarifying information about the virtual contact interface and the use of the pairing code;

The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;

The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism;

The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits;

In collaboration with the FICAM FIPS 201 Test Program reduced some of the PIV Card options where possible.

#2: NIST announces the release of Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to align with updates in SP 800-73-4. The document reflects the disposition of comments that were received on the first and second draft of SP 800-78-4, which was published in May, 2013 and May 2014, respectively. In particular, the following changes were introduced in SP 800-78-4:

Removal of information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past;

Clarified that RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2^256.)
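The exponent rule above has two sides: a key that an issuer loads onto a PIV Card must use exactly 65,537, while relying-party middleware should still tolerate any odd exponent in [65,537, 2^256). The following is an added example (not NIST code and not part of SP 800-78-4) that checks both sides against a key supplied as a PKCS#1 RSAPublicKey DER structure. The DER encoder and decoder are minimal helpers constructed for this example, the modulus used in the demonstration is a made-up odd 2048-bit number rather than a real key, and the reported modulus bit length is informational only; no key-size rule is enforced here because this announcement does not state one.

```python
"""Check an RSA public exponent against the SP 800-78-4 rules quoted in the
announcement. Added example; the DER helpers and sample modulus are constructed
for illustration and are not NIST code.

RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
"""

F4 = 65537          # 2**16 + 1, the only exponent permitted on a PIV Card
UPPER = 1 << 256    # client-side exponents must be strictly below 2**256


def issuer_exponent_ok(e: int) -> bool:
    """Issuance rule: the public exponent must be exactly 65,537."""
    return e == F4


def client_exponent_ok(e: int) -> bool:
    """Relying-party rule: accept any odd exponent with 65,537 <= e < 2**256."""
    return e % 2 == 1 and F4 <= e < UPPER


# --- minimal DER helpers (constructed for this example) ---------------------

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER, padding with 0x00 if the top bit is set."""
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """Build the PKCS#1 RSAPublicKey SEQUENCE for (n, e)."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value triple; returns (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def decode_rsa_public_key(der: bytes):
    """Parse RSAPublicKey and return (n, e); reject trailing data or negatives."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    if n_bytes[0] & 0x80 or e_bytes[0] & 0x80:
        raise ValueError("negative INTEGER is not a valid RSA parameter")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_rsa_public_key(der: bytes) -> dict:
    """Apply both exponent rules to a DER-encoded RSAPublicKey."""
    n, e = decode_rsa_public_key(der)
    return {
        "modulus_bits": n.bit_length(),   # informational only
        "exponent": e,
        "issuer_ok": issuer_exponent_ok(e),
        "client_ok": client_exponent_ok(e),
    }


if __name__ == "__main__":
    # Constructed modulus: an odd 2048-bit number, NOT a real RSA modulus.
    fake_n = (1 << 2047) | 0x1234567
    for e in (65537, 3, 65539, 65538, 1 << 256):
        print(e, check_rsa_public_key(encode_rsa_public_key(fake_n, e)))
```

The run shows the four ways a key can fall outside the rules: an exponent of 3 is below the floor, 65,538 is even, 2^256 is at the exclusive upper bound, and 65,539 is acceptable to a client but must not be issued. Real middleware would take the key from a certificate's SubjectPublicKeyInfo rather than a bare RSAPublicKey, but the exponent checks are the same.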

The NIST PIV Validation Program (NPIVP) has updated its PIV Middleware and PIV Card Application Validation lists to reflect the FIPS 201-2 implementation schedule. This schedule requires that, beginning 09/05/14, new and replacement cards issued by Departments and Agencies conform to FIPS 201-2, whether when on-boarding or when replacing PIV Cards as they expire over the next 5 years.

The impact for the NPIVP Validation Program is that some cards with FIPS 201-1 conformant PIV Card Applications have to be removed from the validation list. Only a few cards on the validated list are affected, because meeting FIPS 201-2 requires only that certain PIV Card credentials that were optional under FIPS 201-1 be present, as they are now mandatory. The Removed Products List (RPL) is now available. The effect on validated PIV Middleware is broader. PIV Middleware is required to support all functionality (function calls/credentials) of a fully loaded PIV Card. Since SP 800-73-1 and SP 800-73-2 PIV Middleware do NOT support the new FIPS 201-2 functionality, they have to be placed on the RPL. The PIV Middleware RPL is also available. Note: The PIV Middleware listed in the SP 800-73-3 PIV Middleware Validation list remains valid and will not be removed. These implementations support the optional credentials/functionality, which are now mandatory under FIPS 201-2.

Finally, the NPIVP Validation Authority also removed validated PIV Card Applications that have remained in a ‘pending’ state for FIPS 140-2 validation for 3 years or longer. These card applications never received FIPS 140-2 validation, and thus are not allowed to be used by the USG.

NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Part 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-4" in the subject line.

NIST announces that Draft Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), is now available for public comment. This document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

• Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
• Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
• Addition of issuer controls for the PIV Card’s visual topography,
• Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
• Updated references to the more recent credentialing guidance issued by OPM,
• Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and
• Modified process to include an independent review prior to authorization of issuer.

Draft #1: NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4").

High level changes include:

A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.

In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:

Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.

Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”

NIST also requests comments on the pairing code, which is part of the new Virtual Contact Interface (VCI) of the PIV Card. Its purpose is to prevent skimming of cardholder data in a wireless environment by an unauthorized wireless reader in the vicinity of the cardholder, and to ensure that ‘cardholder consent’ for the release of cardholder data is enabled. The pairing code is part of the Virtual Contact Interface, which provides for communication and enables wireless transactions between the PIV Card and NFC-enabled devices for authentication, signing or encryption. NIST assesses that the pairing code concept is the optimum method available to mitigate the skimming threat.

NIST has received some comments objecting to the use of a pairing code to protect data against skimming in a wireless environment and strongly recommending that it be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or whether the departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with the pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface, and thus skimming has not been an issue.)

Draft #2: NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4").

#2: NIST announces release of Draft NIST IR 7981, Mobile, PIV, and Authentication, for public comment. NIST IR 7981 analyzes and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.